Win32 Programming
Secure Operating Systems
Lesson E: Windows Security - Overview
Where are we?
We’ve discovered SELinux is moderately cool
How does this compare to Windows? There’s a lot here, so we’ll just scratch the surface
Windows: History
So, Windows really does have a long history
DOS survived for a long time, until we moved on to the NT core
The current version of Windows 8 has finally started to move away from the backward compatibility that has dogged us
Bitlocker
Full hard drive encryption is actually pretty cool: Bitlocker
Can leverage the TPM, which is nice
Can provide remote attestation for hardware and software
Not only for disk encryption; has been used for DRM too
Can use in combination with a USB token
TPM Structure
Picture from Guillaume Piolle
Windows Integrity Control
Although we don’t think about them, Windows uses MACLs (Mandatory Access Control Lists)
Thus, the OS can make a security decision based on how trusted an object is
Let’s take a look with Process Explorer (from Sysinternals)
SACLS and DACLS
SACLs beat DACLs
SACL: System Access Control List
DACL: Discretionary Access Control List
Thus, even if the DACL grants access, the SACL must also grant access for the operation to go through
This is all documented well by MS…
http://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx
Enables things like SYSTEM_MANDATORY_LABEL_NO_READ_UP
Managing all of this
Of course, we need Run As… administrator
icacls templow /setintegritylevel L   (for example)
But of course, we never use this, except for using the defaults, which seems like a pity, eh?
There’s a philosophical point here
UAC (Woohoo!)
Everyone seems to hate UAC, but it does help in terms of users making mistakes
It’s certainly not bulletproof (cue Shaun)
The idea is the principle of least privilege
The problem is that we don’t read the popups very well
The basic idea: run with lower privileges, and then upgrade as you need it
Service Resource Isolation
What happens when a service gets broken into?
Let’s look:
sc query type= service | more
sc showsid AdobeActiveFileMonitor9.0
psgetsid <sid>
Can create a *restricted* SID
Two checks: one on the enabled token, one on the restricted SID
Service Refactoring
Basically, run services with base least privilege
New service hosts (low to high):
LocalServiceNoNetwork
LocalServiceRestricted
LocalServiceNetworkRestricted
NetworkServiceRestricted
NetworkServiceNetworkRestricted
LocalSystemNetworkRestricted
Restricted Network Access
Network restriction policies can be applied to services too
Direction: ingress and egress
Protocol: what protocols should be allowed?
Principal: Rules apply to specific users
Interface: WLAN, Wireless, LAN etc.
Buffer Overflows
Let’s remind ourselves how buffer overflows work
The compiler now adds cookies… let’s look at the code
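The stack-cookie mechanism the slide refers to, as an added example rather than the course’s own code: a constructed model of a /GS-style frame in which an unchecked copy clobbers the cookie and the epilogue check catches it, beside the bounded copy that is the real fix. The frame layout and the cookie value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a /GS-protected stack frame (not the compiler's real
 * layout): a fixed buffer, then the security cookie, then the slot an
 * overflow would otherwise reach (saved frame pointer / return address). */
#define BUF_SIZE    16
#define COOKIE_SIZE 8
#define FRAME_SIZE  (BUF_SIZE + COOKIE_SIZE + 8)

/* Hypothetical cookie value; the real __security_cookie is randomised per process. */
static const uint8_t SECURITY_COOKIE[COOKIE_SIZE] =
    {0xA1, 0x2B, 0x3C, 0x4D, 0x5E, 0x6F, 0x70, 0x81};

/* Copies input into the buffer with no length check, then performs the
 * epilogue check that __security_check_cookie does before returning.
 * Returns 1 if the cookie survived (return is safe), 0 if the copy ran past
 * the buffer and clobbered it, which the real check turns into a fast-fail
 * instead of returning through a corrupted address. */
int gs_frame_copy(const char *input, size_t len) {
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_SIZE, SECURITY_COOKIE, COOKIE_SIZE);  /* prologue: plant cookie */
    if (len > sizeof frame)                                   /* keep the model in bounds */
        len = sizeof frame;
    memcpy(frame, input, len);                                /* the unchecked strcpy-style write */
    return memcmp(frame + BUF_SIZE, SECURITY_COOKIE, COOKIE_SIZE) == 0;
}

/* The actual fix: bound the copy to the buffer so the cookie is never reached.
 * Returns 1 on success, 0 if the input does not fit (reject, do not truncate). */
int bounded_copy(const char *input, size_t len, char out[BUF_SIZE]) {
    if (len >= BUF_SIZE)
        return 0;
    memcpy(out, input, len);
    out[len] = '\0';
    return 1;
}

int main(void) {
    const char *ok = "hello";                                 /* constructed inputs */
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAA";      /* 24 bytes, past the buffer */
    char out[BUF_SIZE];
    printf("short input, cookie intact: %d\n", gs_frame_copy(ok, strlen(ok)));
    printf("long input, cookie intact:  %d\n", gs_frame_copy(long_input, strlen(long_input)));
    printf("bounded copy accepts long input: %d\n", bounded_copy(long_input, strlen(long_input), out));
    return 0;
}
```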
Questions & Comments
What do you want to know?